Are employees the root of most cyber-breaches?

Will Wood Blog

In a time when cyber-crime is growing at an astronomical rate, are your employees the biggest risk when it comes to cyber-breaches?

The biggest strength of most companies is their people, yet most employees have, at least once, done something that could have put their company at cyber-risk. Employees commonly prioritise personal convenience over security protocols when transferring and storing data, handling user credentials, backing up files and so on.

Some examples of how an employee might lead to a data breach are:

  • Loss of endpoints
  • Insider malice
  • Poor Password Practices
  • Weak Access Policies
  • Malware
  • Phishing and Social Engineering


A few situations that can be very costly to businesses are:

1.      Email sent to wrong recipients

Many data breaches are the result of information emailed to the wrong recipient.

For example, an employee at an HIV clinic in London accidentally entered patients' email addresses in the 'To' field instead of the 'Bcc' field, so every recipient could see who else had been written to, and the organisation was fined £180,000 for the breach of the patients' privacy.

2.      Sending unnecessary attachments or information over email

There are multiple reported incidents where an employee sending more information than was required over email led to a data breach:

According to the Winnipeg Free Press, an employee of the City of Calgary, Alberta, accidentally leaked the personally identifiable information (PII) of more than three thousand employees in June 2016. The extra information was apparently included while seeking technical assistance. An email security policy, enforced technically rather than left to the sender's judgement, could have caught this costly mistake.
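Both incidents above are the same category of error, a sender who cannot see what the mail is about to disclose, and both are the kind of thing an outbound-mail check can catch before the message leaves. The following Python script is an added example written for this post, not code from the original article and not a Datasharp product. It refuses a mailing whose individual external recipients are visible to each other in To/Cc, and it scans the body and any text attachments of mail leaving the organisation for data that looks like UK National Insurance numbers or long ID/card numbers. The internal domain, the recipient threshold, the regexes and the sample messages are constructed assumptions; in practice such a check sits in the mail gateway or a send-time add-in.

```python
# Added example: an outbound-mail policy check (not code from the original post
# or from Datasharp). Catches the two mistakes described above:
#   1. a mass mailing whose recipients are visible to each other in To/Cc,
#   2. body or text attachments carrying PII-looking data out of the organisation.
import re
from email import policy
from email.message import EmailMessage

INTERNAL_DOMAIN = "example.org"   # assumption: the sender's own domain
MAX_VISIBLE_EXTERNAL = 5          # assumption: policy threshold for To/Cc

# UK National Insurance number such as "AB 12 34 56 C" (spaces optional).
NINO_RE = re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b", re.I)
# 12 or more consecutive digits: card numbers, ID numbers dumped from a spreadsheet.
LONG_DIGITS_RE = re.compile(r"\b\d{12,}\b")


def recipients(msg, header_names):
    """Bare addresses found in the given headers (To, Cc, Bcc)."""
    found = []
    for name in header_names:
        for header in msg.get_all(name, []):
            found.extend(a.addr_spec for a in header.addresses)
    return found


def external_only(addrs):
    """Drop addresses belonging to INTERNAL_DOMAIN."""
    return [a for a in addrs if not a.lower().endswith("@" + INTERNAL_DOMAIN)]


def text_parts(msg):
    """Yield (label, text) for the body and every text/* attachment."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_filename() or "body", part.get_content()


def check_outbound(msg):
    """Return the list of policy violations; an empty list means the mail may go."""
    findings = []
    visible_ext = external_only(recipients(msg, ("To", "Cc")))
    if len(visible_ext) > MAX_VISIBLE_EXTERNAL:
        findings.append(f"{len(visible_ext)} external addresses visible in To/Cc; "
                        "put individual recipients in Bcc")
    # Only scan content if at least one recipient (Bcc included) is outside the organisation.
    if external_only(recipients(msg, ("To", "Cc", "Bcc"))):
        for label, text in text_parts(msg):
            ninos = NINO_RE.findall(text)
            digit_runs = LONG_DIGITS_RE.findall(text)
            if ninos or digit_runs:
                findings.append(f"{label}: {len(ninos)} NI number(s) and "
                                f"{len(digit_runs)} long digit run(s) found")
    return findings


def build_sample(use_bcc, attach_patient_list=True):
    """Constructed test mail: a clinic newsletter to eight external patients."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "clinic@" + INTERNAL_DOMAIN
    msg["Subject"] = "Newsletter"
    patients = [f"patient{i}@mail.example.com" for i in range(8)]
    msg["Bcc" if use_bcc else "To"] = ", ".join(patients)
    msg.set_content("Please find this month's newsletter below.")
    if attach_patient_list:  # constructed PII, the over-sharing mistake
        msg.add_attachment("name,nino,card\nA Person,AB 12 34 56 C,4111111111111111\n",
                           subtype="csv", filename="patients.csv")
    return msg


if __name__ == "__main__":
    for use_bcc in (False, True):
        print("Bcc" if use_bcc else "To ", check_outbound(build_sample(use_bcc)))
```

Run as-is, the To version produces two findings (recipients exposed, and a patient list that should never have been attached) while the Bcc version still produces one, because moving addresses to Bcc fixes the clinic's mistake but not the over-sharing one. Both controls are deliberately simple pattern checks; their value is that they run every time, which is exactly what a busy employee does not.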

3.      Using Company resources for personal use

Many employees use office laptops and mobile devices for personal purposes, which can lead to a data breach. Again, security policy needs to be enforced on company assets in order to avoid inadvertent infection by malicious code.

Even online shopping, which most staff expect to be able to do on work machines, is proving an area of real concern. SonicWall has published an article on this topic.

4.      Insecure Downloads

Each employee is in charge of their own endpoint, so what they download can be a threat to your whole organisation. It has been shown time after time that employees frequently cannot tell a Trojan-laden file from a legitimate one, or a risky link in a spammer's email from a safe one.


So, what’s the answer?

1.      Cyber Security Training

2.     Cyber Risk Culture & Awareness

3.     Cyber ethics and Cyber Behaviors

4.     Cyber security systems (Next Gen Firewall, email security, encryption, endpoint security, network behaviour analysis)

Businesses should prioritise their cyber-security objectives and should not spend most of their budget on security products alone; otherwise they may still be leaving their house keys in the lock. At Datasharp, we work closely with our customers to ensure they don't just buy our products and services, but also receive consultancy on best practice for the items listed above. With GDPR enforcement looming, you may want to consider engaging with us to minimise your threat landscape, whether internal or external.